MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base


Non-profit organization MITRE announced Thursday that its Cyber Resiliency Engineering Framework (CREF) Navigator aligns with the U.S. Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC). The move will aid the defense industrial base (DIB) in structuring cyber resiliency strategies and enhancing supply chain strength.

The CREF Navigator aligns with NIST SP 800-171, the National Institute of Standards and Technology’s (NIST) publication designed to safeguard Controlled Unclassified Information (CUI). It also aligns with the subset of NIST SP 800-172 that corresponds to the proposed CMMC Level 3 model, which has 24 of the 34 security requirements that address more sophisticated cybersecurity attacks.

“Our national security depends on the security of our defense systems and the supply chains to enable that defense,” Wen Masters, vice president for cyber technologies at MITRE, said in a media statement. “All along the supply chain, you need accountability in following the appropriate security requirements to build a resilient system. Resilience in the face of a cyber-attack is not a quick fix. Resiliency must be engineered before an incident.”

“To allow cyber engineers to customize the tool for their individual needs, we enhanced the CREF Navigator so users can create their own scenarios and apply different parameters of threats and techniques,” said Shane Steiger, principal cybersecurity engineer at MITRE. “Regardless of how you keep your security data, you can import your data into the CREF Navigator via a .csv file, and the visualization of the data can be exported back out to a .csv file. Later this year, we’ll add enhancements for Zero Trust Architectures.”

MITRE, in partnership with NIST, created the original cyber resiliency framework, NIST SP 800-160, Volume 2 (Rev. 1). The CREF Navigator, which debuted in early 2023, makes that NIST framework searchable and presents it visually. With the tool, engineers can make educated and informed choices while designing resilient cyber solutions.

Beyond pairing with CMMC, the CREF Navigator also aligns with the MITRE ATT&CK knowledge base of tactics and techniques and with Cyber Model-Based Systems Engineering (MBSE) for cyber threat modeling.

Earlier this week, MITRE unveiled ATT&CK v15, introducing improved detections, a new analytic format, and cross-domain adversary insights. The latest release encompasses enhancements spanning Enterprise, Mobile, and ICS (industrial control system), touching on Techniques, Groups, Software, Campaigns, and Defenses. Notably, there is a significant emphasis on enhancing ATT&CK’s defensive recommendations through a revamped analytic format. 

Special attention has been given to incorporating detection analytics and guidance into the Execution Tactic of Enterprise ATT&CK, along with expanded defense coverage within the Cloud matrix.
